Re: [pfSense] 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign • The Register - patch to pfsense?

2018-01-09 Thread Rainer Duffner


> Am 10.01.2018 um 00:14 schrieb Kyle Marek :
> 
> This contradicts the majority of the purpose of virtualization.


Interesting that you bring it up….

I give you Theo de Raadt in late 2007:


https://marc.info/?l=openbsd-misc=119318909016582 



;-)



Meanwhile, Netgate has published an updated statement:

https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html 





___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Transparent proxy for WiFi users

2018-01-02 Thread Rainer Duffner


> Am 02.01.2018 um 14:46 schrieb Roberto Carna :
> 
> Dear all, I've set up a Squid transparent proxy + SquidGuard on pfSense 2.4
> in order to filter HTTP and HTTPS web content for different types of
> WiFi clients at my company:
> 
> - Android (different versions)
> - Notebooks Windows 7/10
> - Iphone
> - Etc.
> 
> In some cases, depending on the device operating system, some apps
> experience problems, for example Facebook and some others.
> 




Apps that do hardwired Key-Pinning (everything from Apple, Google and probably 
TFB, too) will not work.
You have to make exemptions, AFAIK.

Same for ebanking and related.






Re: [pfSense] Problem with Chrome - HTTP trasnparent proxy with SSL filtering

2017-11-03 Thread Rainer Duffner

> Am 03.11.2017 um 14:40 schrieb Richard A. Relph :
> 
> I’ve heard Google will be removing certificate pinning from Chrome soon…
> 


Yeah, for public sites. They’ll still make sure nobody can sign anything 
*.google.*, have users import a private root certificate and then sniff 
connections to them.

Not. Gonna. Happen.

Public CAs will also not sign anything that contains the word "google", BTW.
Most will just silently drop it.





Re: [pfSense] RRD alternatives

2017-02-28 Thread Rainer Duffner

> Am 28.02.2017 um 18:06 schrieb Travis Hansen :
> 
> While not entirely the same, I'm working on getting Prometheus node_exporter 
> available inside pfsense.
> https://prometheus.io/
> https://github.com/prometheus/node_exporter
> 
> When Prometheus is then combined with Grafana dashboards it provides a pretty 
> good experience.
> 
> Travis
> 



That would be super-cool.

Please keep us updated.




Rainer



Re: [pfSense] Unexplained reboots

2016-10-24 Thread Rainer Duffner

> Am 24.10.2016 um 22:04 schrieb mayak <ma...@australsat.com>:
> 
> On 10/24/2016 09:41 PM, Rainer Duffner wrote:
>> 
>> Does the iLO say something?
>> ECC errors?
>> 
>> Did you do a Firmware Update?
>> 
>> Spontaneous reboots are often hardware-problems.
> Hi Rainer,
> 
> Curiously, the ilo log is showing `server reset`  `server power removed`.
> 
> Wow.
> 
> I have changed power policy to `static lower power mode` instead of `dynamic 
> power saving`
> 
> Let's see if that helps!
> 
> Thanks :-)



Somebody accidentally removed the power-cord?

Or did somebody press the power-off button?






Re: [pfSense] How to determine supported packages without installing

2016-06-17 Thread Rainer Duffner

> Am 18.06.2016 um 01:03 schrieb Steve Yates :
> 
> I suspect package compatibility is not maintained on per-pfSense-version 
> basis.  Meaning, packages worked on 2.x up until the package changes on 2.3, 
> and probably will work on into the future until the next breaking change.
> 
> https://doc.pfsense.org/index.php/Upgrade_Guide#pfSense_2.3_Upgrade_Guide has 
> text:
> See Package Port List for a list of packages currently available on 2.3.
> Links to -> https://doc.pfsense.org/index.php/Package_Port_List
> 
> Also, from the blog entry on the 2.3.1 release:
> https://doc.pfsense.org/index.php/2.3_Removed_Packages



That list is incomplete at best.

I installed bind recently (in a pfSense test-vm). I haven’t tried it, but I 
assume if it’s packaged, it works.

I dare say the current state of the documentation of the project is sub-optimal.



Re: [pfSense] PFSense for high-bandwith environments

2016-02-18 Thread Rainer Duffner

> Am 18.02.2016 um 19:13 schrieb Walter Parker :
> 
> There is an optimization coming for pfsense. There is a new user space
> routing daemon. netmap I think, that can reach line rate on 10G NICs (14.88
> Mpps). There was a BSDCon that talked about a future version of pfsense
> using this system. It uses ipfw, so there a bit a work to adapt it to
> pfsense.




Also, AFAIK, Chelsio NICs are better in the 10G space.

ESF uses them in some of their appliances (see the shop).
Netflix uses them, too, in their FreeBSD cache-boxes.

They aren’t really that much more expensive than Intel NICs.

I have no experience using them myself.


Re: [pfSense] WHY: SSL/TLS Diffie-Hellman Modulus = 1024 Bits (Logjam)

2015-08-19 Thread Rainer Duffner
 
 On investigation, we found the certificate is not the problem as our
 certificate is already 2048 bit.
 
 What else might this be?
 
 Thanks



https://weakdh.org/

Out of interest, I looked into this.
I haven’t exposed my web-interface, so I can’t check with ssllabs checker.

Above site recommends:
ssl.dh-file=

and the path to the strong dh-group created by

openssl dhparam -out dhparams.pem 2048


However, this is not included in my configuration:

ssl.engine = enable
ssl.pemfile = /var/etc/cert.pem
ssl.engine = enable
ssl.pemfile = /var/etc/cert.pem
ssl.use-sslv2 = disable
ssl.use-sslv3 = disable
ssl.honor-cipher-order = enable
ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"


Maybe pfSense is smart enough to figure out that maybe my aging ALIX board is 
just too slow for this?

[2.2.4-RELEASE][r...@pfsense.example.org]/tmp: time openssl dhparam -out dhparams.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+..+..++..+..+..++.+.+..+...+.+...+++*++*
unable to write 'random state'
844.901u 0.105s 15:05.79 93.2%  613+197k 0+2io 13pf+0w



I also can’t find any security-advisory on this.




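The post above asks what a DH modulus of 1024 bits means for the web GUI and shows `openssl dhparam -out dhparams.pem 2048` being run on an ALIX. The following is an added example (not pfSense, lighttpd or OpenSSL code) that audits a file in the format `openssl dhparam` writes: it decodes the PKCS#3 `DH PARAMETERS` DER structure (`SEQUENCE { INTEGER p, INTEGER g }`), reports the modulus size, checks that p is a safe prime, and flags anything below the 2048-bit recommendation from weakdh.org. The sample modulus is the public 1024-bit MODP group 2 prime from RFC 2409 section 6.2, chosen because it is the kind of well-known group Logjam targets; it is not taken from the original post, and the 2048-bit threshold is the example's own constant.

```python
"""Audit a PEM 'DH PARAMETERS' file (PKCS#3) and flag Logjam-sized groups.

Added example, not pfSense/lighttpd/OpenSSL code.  DER layout is
SEQUENCE { INTEGER p, INTEGER g }; the encoder exists only to build a
sample file offline, the decoder/audit is what you would point at
/path/to/dhparams.pem before referencing it from ssl.dh-file.
"""
import base64
import random
import textwrap

MIN_BITS = 2048  # weakdh.org recommendation (example's own threshold)

# RFC 2409 section 6.2, "Second Oakley Group": 1024-bit MODP prime, generator 2.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    # One extra byte of headroom so a set high bit is never read as negative.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Build the same PEM `openssl dhparam` would write for (p, g)."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(pem):
    """Parse PEM -> (p, g); raises ValueError on anything but two INTEGERs."""
    b64 = "".join(l.strip() for l in pem.splitlines()
                  if l.strip() and not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with a fixed seed so an audit is reproducible."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def audit_dh_params(pem, min_bits=MIN_BITS):
    """Size, generator, safe-prime check and verdict for one PEM file."""
    p, g = decode_dh_params(pem)
    return {
        "bits": p.bit_length(),
        "generator": g,
        "safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
        "strong_enough": p.bit_length() >= min_bits,
    }


if __name__ == "__main__":
    print(audit_dh_params(encode_dh_params(RFC2409_GROUP2_P, 2)))
```

Run it against the real file with `audit_dh_params(open("dhparams.pem").read())`. Note that size alone is not the whole story: a 1024-bit group that every appliance shares is exactly what makes Logjam precomputation pay off, so a freshly generated 2048-bit group (which is what `ssl.dh-file` should point at) both raises the size and makes the group unique to the box.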

Re: [pfSense] GUI performance on an ALIX 2d3

2015-08-13 Thread Rainer Duffner

 Am 13.08.2015 um 23:28 schrieb Erik Anderson erike...@gmail.com:
 
 Hello all -
 
 I've been running pfSense on my ALIX 2d3 happily for many years now.
 For the most part, it still does its job well. However, with most
 recent release, any changes made in the GUI take a *long* time to
 commit. By long I mean ~2 minutes. That's how long it takes from
 clicking Save to the screen refresh and the Apply changes button
 showing up.
 
 Is this slow GUI performance to be expected? Was there some change in
 v2.2.4 that would have caused this?
 


How much RAM does it have?


 I realize that the 2d3 board is getting quite long in the tooth, so
 perhaps this is just something I need to deal with until I finally
 cave in and purchase an SG-2220.


Mine is a 2D1 (apparently) and has only 128 MB RAM - which apparently is too 
little these days.
Since 2.2.4, I get a warning in the GUI - but because I do nothing fancy with 
it, I don’t see any slowdowns.
Memory-usage and all other parameters seem to be OK, according to the dashboard.


I just checked - I ordered it at the end of September 2008.
It’s going to be seven years old in a couple of weeks.
That’s quite impressive - do you still get firmware-updates for seven year old 
commercial DSL-routers?



[pfSense] Is there a way to version-control the configuration?

2015-08-01 Thread Rainer Duffner
Hi,

we have a device from another manufacturer (it's a WAF). Also configured via a 
web GUI.
In there, you make your changes to the configuration and when you're satisfied 
with it, "commit" the changes to (what looks like) RCS and subsequently 
activate them.
You can also easily roll-back to previous saved configurations.

It would be cool if pfSense supported a feature of this kind.




Re: [pfSense] Got an alert after updating to 2.2.4

2015-08-01 Thread Rainer Duffner

 Am 31.07.2015 um 08:38 schrieb Chris Buechler c...@pfsense.com:
 
 On Thu, Jul 30, 2015 at 5:34 PM, Rainer Duffner rai...@ultra-secure.de 
 wrote:
 php: rc.bootup: New alert found: pfSense requires at least 128 MB of RAM. 
 Expect unusual performance. This platform is not supported.
 
 I have an Alix board:
 
 
 CPU: Geode(TM) Integrated Processor by AMD PCS (431.65-MHz 586-class CPU)
  Origin = AuthenticAMD  Id = 0x5a2  Family = 0x5  Model = 0xa  Stepping = 2
  Features=0x88a93d<FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX>
  AMD Features=0xc040<MMX+,3DNow!+,3DNow!>
 real memory  = 134217728 (128 MB)
 avail memory = 94752768 (90 MB)
 
 So, is the Alix deprecated?
 
 
 The 128 MB ones, yes. Have been for a long time. We've stated 256 MB
 as the minimum supported since one of the 1.2.x releases, at least 6-7
 years ago.
 
 Sure it wasn't showing the same before?


No, never.


 Maybe some change in FreeBSD
 10.1 made the avail memory less than it was previously. It warns at
 less than 101 MB avail (which was generally enough to not warn on
 systems with 128 MB real).
 
 If you're running nothing beyond the defaults on a small network, 128
 MB might be OK. But forget about running any type of VPN, or much of
 anything outside of defaults.


It’s a bit of a shame.
I just use it as a glorified router (minus all the security-vulnerabilities of 
COTS-routers, of course).

My VDSL is only 20 MBit / 2Mbit - and I doubt that I get Fibre in my little 
village here any time in the future (unless the Swisscom CEO moves here).
So, while I’d like to upgrade to one of the SG boxes, it doesn’t make much 
sense - even though the spec-sheet looks great.


For now, it works OK, I don’t see any problems.
I think I bought this in 2008 or so. 
Try getting an update for a consumer router from 2008…

How long do you foresee software-support for the SG devices?




[pfSense] Got an alert after updating to 2.2.4

2015-07-30 Thread Rainer Duffner
php: rc.bootup: New alert found: pfSense requires at least 128 MB of RAM. 
Expect unusual performance. This platform is not supported.

I have an Alix board:


CPU: Geode(TM) Integrated Processor by AMD PCS (431.65-MHz 586-class CPU)
  Origin = AuthenticAMD  Id = 0x5a2  Family = 0x5  Model = 0xa  Stepping = 2
  Features=0x88a93d<FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CLFLUSH,MMX>
  AMD Features=0xc040<MMX+,3DNow!+,3DNow!>
real memory  = 134217728 (128 MB)
avail memory = 94752768 (90 MB)

So, is the Alix deprecated?


Or is the warning a FP?


Re: [pfSense] Loading pfSense on Netgate 1U rack mount server c2758

2015-07-02 Thread Rainer Duffner

 Am 02.07.2015 um 20:31 schrieb Paul Upson pmup...@thewestmoreland.org:
 
 I recently purchased this device and am now trying to load pfSense onto it
 using a usb stick. Each time the load fails with the following error.
 Mounting from cd9660:/dev/iso9660/PFSENSE fails with error 19. I found a
 post that said to add the command set kern.cam.boot_delay=1 but it
 doesn't change the result. I need a resolution soon.



Tried a different USB stick?




Re: [pfSense] Difference between APU4 and APU1C4

2014-07-27 Thread Rainer Duffner

Am 22.07.2014 um 21:29 schrieb Nickolai Leschov nlesc...@gmail.com:

 The difference is not $200, but about $100 with 8GB Sandisk Extreme Secure 
 [sic!] SDHC card included.
 
 1. What's secure about this card? I suppose it's a regular SDHC one.
 
 2. I would like to pay less, but I'm worried about assembling it right with 
 regards to cooling. Can anyone clarify how is cooling achieved in this unit?


http://pcengines.ch/apu.htm


Cooling: "Conductive cooling from the CPU and south bridge to the 
enclosure using a 3 mm alu heat spreader."

If assembly is similar to that of ALIX-boards, it’s not difficult.

I bought my first pcengines device fully assembled, too.
But back then, you had to drill your own holes etc.

So, if you’re unsure - there is value in buying it fully assembled and tested 
and with support.

How much is your time worth?


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] The Heartbleed Bug, CVE-2014-0160

2014-04-08 Thread Rainer Duffner

Am 08.04.2014 um 21:04 schrieb Jim Thompson j...@smallworks.com:

 
 Well, that’s the point, Paul.  (You hit the nail on the head.)
 
 If you don’t have an openssl service exposed, the problem doesn’t affect you.
 
 Since normally the web GUI isn’t exposed to the WAN, the attack surface is 
 minimized.
 
 We are working at cutting a new release.



Hi,

according to:

http://www.kb.cert.org/vuls/id/BLUU-9HY33E

only FreeBSD 10 is affected.

There are binary updates for FreeBSD 10 available, just no advisory-text.
No update for FreeBSD 9.1






Re: [pfSense] Hardware requirements for gigabit wirespead

2013-10-25 Thread Rainer Duffner
Am Fri, 25 Oct 2013 10:08:14 +0200
schrieb Eugen Leitl eu...@leitl.org:

 On Thu, Oct 24, 2013 at 07:18:28PM -0500, Jim Thompson wrote:
 
  The topic has wandered away from pfSense. 
 
 It is rather interesting though, so please don't kill that
 thread just yet.


Indeed.
I'd like to add that AFAIK, for pure firewalling, single-thread
performance is most important as pf(4) is not yet multi-threaded.
FreeBSD 10 seems to change that, but it will be some time before it
shows up in a production pfSense image, I guess ;-)


Re: [pfSense] not all backdoors are NSA backdoors

2013-10-15 Thread Rainer Duffner
Am Tue, 15 Oct 2013 12:24:42 +0100
schrieb Vincent Hoffman vi...@unsane.co.uk:

 pkgng allows signed binary packages on FreeBSD and poudriere makes
 maintaining a repo stupidly simple if that helps.
 https://glenbarber.us/2012/06/11/Maintaining-Your-Own-pkgng-Repository.html


AFAIK, it's not an X509 certificate, but a simple key.

I don't know what the state of support for GPG-signing or full X509
support is.
Supposedly, the priorities lie elsewhere.


Re: [pfSense] Blocking HTTPS Attachments only

2013-05-15 Thread Rainer Duffner

Am 15.05.2013 um 20:46 schrieb Mr. Parkis scottpar...@yahoo.com:

 pfsense newbie here -
 
 Is there a way to block users from sending attachments via webmail (HTTPS)  - 
 I do not want to block access to personal mail accounts. Just the ability for 
 users to send attachments via.
 
 so all users can access their gmail, yahoo, aol, hotmail... or whatever 
 personal site they have (bluehost provided webmail account)
 
 they can send email but I would like to block attachments. Any way I can do 
 this


No.

Sorry for the short answer, but intercepting and filtering HTTPS communication 
is not possible with pfSense (nor is it with most commercial software).
It is very difficult to lock down a network in such a way that no undesired 
packet leaves it.

There is, for example, software that will create a tunnel through your firewall 
just by DNS - it will be slow, but it will be enough to remote-control a 
workstation and transfer files.
It's professional pen-testers' favorite tool to stump their clients...
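The reply above points out that a DNS tunnel will get through a firewall that otherwise blocks everything. The flip side is that such a tunnel has to carry its payload in query names, which leaves a pattern: one client sends many unique, long, high-entropy subdomains under a single zone, often as TXT or NULL queries. The following is an added example, not pfSense code and not the output of any real resolver, that scores query-log lines on exactly that pattern. The log lines are constructed (a simple `client qtype qname` layout, with the tunnel labels generated from SHA-256 digests to stand in for encoded payload); the `tunnel.example` zone, the `10.0.0.x` clients and the three thresholds are the example's own assumptions.

```python
"""Score DNS query logs for tunnel-like behaviour (added example, not pfSense).

Signal used: per (client, zone), many distinct subdomain prefixes that are
long and high-entropy.  Volume alone is not enough (CDNs are chatty), and
a single odd name is not enough either; all three thresholds must trip.
"""
import hashlib
import math
from collections import defaultdict


def constructed_log():
    """Constructed sample: two browsing clients plus one host pushing 40 chunks."""
    lines = [
        "10.0.0.5 A www.example.com",
        "10.0.0.5 A cdn.example.com",
        "10.0.0.5 AAAA mail.example.com",
        "10.0.0.6 A update.example.org",
        "10.0.0.6 A www.example.org",
    ]
    for i in range(40):
        # Stand-in for hex-encoded payload; real tunnels use base32/base64-ish labels.
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"10.0.0.7 TXT {chunk}.t.tunnel.example")
    return lines


def shannon_entropy(s):
    """Bits per character; hex payload lands near 4.0, words near 2.5 or lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname, zone_labels=2):
    """Naive split into (prefix, zone); a public-suffix list would do better."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def summarize(lines):
    """Aggregate per (client, zone): query count, distinct prefixes, bulky qtypes."""
    stats = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip anything not in the constructed 'client qtype qname' shape
        client, qtype, qname = parts
        prefix, zone = split_zone(qname)
        s = stats.setdefault((client, zone), {
            "queries": 0, "prefixes": set(), "prefix_chars": 0, "bulky": 0})
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["prefix_chars"] += len(prefix)
        if qtype in ("TXT", "NULL", "CNAME", "MX"):  # types with room for downstream data
            s["bulky"] += 1
    return stats


def tunnel_suspects(lines, min_unique=10, min_avg_prefix=20, min_entropy=3.5):
    """Return one record per (client, zone) that trips all three thresholds."""
    suspects = []
    for (client, zone), s in summarize(lines).items():
        unique = len(s["prefixes"])
        avg_prefix = s["prefix_chars"] / s["queries"]
        entropy = shannon_entropy("".join(sorted(s["prefixes"])).replace(".", ""))
        if unique >= min_unique and avg_prefix >= min_avg_prefix and entropy >= min_entropy:
            suspects.append({
                "client": client, "zone": zone, "unique_prefixes": unique,
                "avg_prefix_len": round(avg_prefix, 1), "entropy": round(entropy, 2),
                "bulky_type_ratio": round(s["bulky"] / s["queries"], 2),
            })
    return suspects


if __name__ == "__main__":
    for hit in tunnel_suspects(constructed_log()):
        print(hit)
```

On the constructed log only `10.0.0.7 -> tunnel.example` trips the rule (40 distinct prefixes, about 50 characters each, entropy near 4 bits per character, 100% TXT). The thresholds are deliberately conjunctive: a CDN hostname pattern or a large mail domain will pass one or two of them, so treat a hit as a lead to pull the client's full query history, not as a verdict.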


Re: [pfSense] Getting started with IPv6

2012-04-16 Thread Rainer Duffner

Am 16.04.2012 um 20:36 schrieb Seth Mos:

 Hi there,
 
 Something of a nutshell series here, I'm probably not explaining a lot but 
 would like to point out a few of the largest handles on this IPv6 thing 
 people keep complaining talking about.




I wish to say that this is an extremely helpful posting.

Thanks a lot.


Rainer


[pfSense] VDSL - need a reboot to activate

2011-12-06 Thread Rainer Duffner
Hi,

I recently changed from ADSL to VDSL (in Switzerland).
After some issues with the cabling, I got it to work eventually.
Yesterday, I realized that to get it to work, I have to reboot the ALIX that 
pfSense 2.0 runs on.

I plugin the zyxel bridge, wait till it has synchronized with the DSLAM, then 
plug in the pfSense into the bridge.
The PPPoE log just shows timeouts.
Then, after a reboot, it works without a hitch.

Is this a known bug?
I never had that with ADSL.

Anyway, thanks for pfSense. I now just need a faster wireless access-point ;-)





Re: [pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread Rainer Duffner
Am Fri, 30 Sep 2011 10:57:03 +0200
schrieb David Brown da...@westcontrol.com:

 On 30/09/2011 09:50, Chris Buechler wrote:
  On Fri, Sep 30, 2011 at 3:24 AM, David
  Brownda...@westcontrol.com  wrote:
  Hi,
 
  Is it possible to buy a copy of the pfSense book as a pdf file,
  with the money going directly to the pfSense project (or the
  book's authors)? That would be more convenient for me for
  reference, faster delivery (it will take a couple of weeks to get
  the paper book to Norway), more environmentally friendly, more
  up-to-date (assuming the book is being updated for 2.0), and gives
  the money to the people who did the pfSense work.
 
 
  By contract, we don't have that option for the current edition.
  There is a Kindle version available. I expect we will for the next
  edition though (ETA unknown but it'll be available electronically
  in parts for purchase of some kind before it's completely finished
  and in print).
 
 
 For various reasons (which would be way off-topic here), Kindle is
 not an option for me.
 
 I can understand that there are reasons for different models for
 books, with different types of contracts, different people wanting to
 get paid (you, as authors, can get money for a directly purchased pdf
 file - but there are probably editors, marketers and other people
 whose income is more connected to printed versions).
 
 I would certainly be happy to pay for an electronic version of the
 book 
 - but it must be in a free and open format.  Typically that means a 
 normal pdf file - it is important that it can be easily read and 
 searched on a variety of platforms without needing specific software.
 
 Of course, that makes it more difficult to make sure people are
 honest, and pay for the book (you guys need to eat too - coffee and
 pizza cost real money!).  One solution that I have seen on a
 different project is that when you buy a pdf book, it is watermarked
 with the purchaser's name and/or company.  This makes it easy for the
 purchaser to use the book themselves, but they will be very unlikely
 to spread it around to others.


If you're really that desperate to get your hands on a PDF, I would
order the book (dead tree version) and then download a torrent of the
PDF.
You can find them all over.

Keep the order, because a lot of people forget to order the book once
they have the PDF ;-)

Or try to find someone in Norway/Europe who owns it and will sell it to
you.

Maybe ask on the FreeBSD-forum?




Rainer


Re: [pfSense] Direct purchase of pfSense book pdf

2011-09-30 Thread Rainer Duffner
Am Fri, 30 Sep 2011 14:24:58 +0200
schrieb David Brown da...@westcontrol.com:


 The thought had occurred to me, but I didn't like to mention it :-)

For obvious reasons.
I do own the paper version (and only the paper version), just for the
record.
;-)

And I do know that book-piracy is a big problem especially for books
with a small circulation.

The media like to concentrate on movies and songs.
But the real victims are authors and publishers of non-blockbuster
books.



